I set up a VPN on Windows Server 2008 through the Routing and Remote Access Features.

My goal is simple. When I'm connected to the VPN, I should be able to access the shares by server name "\servername\" as thought I'm on the server's LAN and when I'm not connected to the VPN, I should not be able to access them.

Unfortunately, after connecting to the server's VPN, I cannot access it.

Additional Info:

My user account on the server is set to allow Dial In access; hence I can connect to the VPN successfully.

The VPN network shows up on the server in Network and Sharing Center as "RAS (Dial In) Interface (Private Network)".

I'm not sure whether the VPN connection on the client should have the "Use default gateway on remote network" option checked. When it's checked, I lose internet access on the client, but I suspect it needs to be checked to force the SMB traffic through the VPN?

Is it sufficient to allow "File and Printer Sharing" exceptions on the server's firewall for "Private network" profile only? I don't want those exceptions enabled on the public network, just the "RAS (Dial In) Interface (Private Network)".

Do I need a static route to somehow get the VPN traffic to the main NIC? There's only one NIC, so do service binding affect this?

The "Routing and Remote Access Properties" IPv4 tab has "Enable IPv4 Forwarding" checked, and the IPv4 address assignemnt is "Static address pool" with a range between 192.168.1.100 to 192.168.1.200, with an IP address of 192.168.1.0 and a mask of 255.255.255.0 (which matches the subnet mask of my main NIC).

Give us some clue as to what happens (as in do you get any messages when trying to access the shares) and how the VPN is configured to assign ip addresses to the clients.
–
joeqwertySep 24 '12 at 23:34

I set up a static IP pool, so my client's IP is 192.168.1.101.
–
TriynkoSep 24 '12 at 23:35

OK, that means that the VPN clients should use the same DNS servers that are set on the VPN servers VPN NIC. What DNS servers are set there? Can you confirm what DNS servers are listed for the VPN connection on the client when it's connected?
–
joeqwertySep 24 '12 at 23:37

The DNS servers are the same. The default gateway is always blank, reguardless of whether I have the "Use default gateway on remote network" option checked in the advanced IPv4 settings of the client connection. I leave it unchecked, however, so I can still access the internet from the client.
–
TriynkoSep 24 '12 at 23:40

Perhaps this is helpful. If I open port 445 on the the "Public" network profile on the server's firewall, then I can connect. The problem, however, is that I can access the shares, with or without the VPN connected, and that's obviously a problem. So.. I thought I could enable all the firewall exceptions for "File and Printer Sharing" for the "private" profile only on the server, thinking it would apply only to the VPN, but then I cannot access the shares. So.. the routing is what's mysterious to me.
–
TriynkoSep 24 '12 at 23:48

1 Answer
1

With the "Use default gateway on remote network" option turned off on the VPN connection (VPN Connection > Properties > Networking Tab > IPv4 (List Item) Properties > Advanced Button), you get what's called a "split tunnel". The way it's supposed to work is that instead of all your traffic going through the VPN, all your Internet traffic goes through your normal default gateway, and only select traffic, addressed to your VPN server or network, will go through the VPN tunnel.

The problem is that Windows 7 routing tables are wrong by default. FAIL!!!

It generates bad tables, so that it does not properly route traffic over the VPN. For example, my VPN was set to connect to a server called "my.domain.com". Suppose my.domain.com's IP is 1.2.3.4. When I ran a "route print" command on the client, I could see that the entry for 1.2.3.4 was pointing to my local gateway, instead of the gateway for the VPN server. The VPN server's gateway can be found by either looking at the gateways listed in the "route print" command's output on the client that's connected to the VPN, or on the VPN server go to "Server Manager > Roles > Network Policy and Access Services > Routing and Remote Access > IPv4 > General", and the "Internal" interface's IP Address is the gateway you need. Suppose, for example, it's 1.2.3.100.

There were even other entries in the table that seemed to be circular. So, I used a command like this on the client: "route delete 1.2.3.4" to delete the incorrect route for my VPN server's IP, and added a correct one with a command like this "route add 1.2.3.4 mask 255.255.255.255 1.2.3.100 IF 28", where 1.2.3.100 was the gateway of my VPN server, and the "28" was the InterFace (IF) number for my VPN connection listed in the output of the "route print" command.

After that, when I entered "\my.domain.com\" in Explorer, it was properly routing the traffic through the VPN tunnel. It arrived on the network, appearing to come from a local IP (statically allocated via "Server Manager > Roles > Network Policy and Access Services > Routing and Remote Access (Properties) > IPv4 Tab > IPv4 Address Assignment Group > Static Address Pool Option), and so it made it through the firewall exception for File and Printer Sharing on the "public" network which restricted remote addresses to the ranges in the static pool that I specified.